[From nobody Sun Apr 26 10:23:06 2026 Received: (at submit) by bugs.debian.org; 26 Aug 2025 19:18:35 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-8.5 required=4.0 tests=BAYES_00, FOURLA, FROMDEVELOPER, KHOP_HELO_FCRDNS,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED, RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED, RDNS_DYNAMIC,SPF_HELO_NONE,SPF_NONE,XMAILER_REPORTBUG autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 176; hammy, 149; neutral, 168; spammy, 1. spammytokens:0.999-1--Patient hammytokens:0.000-+--H*F:U*carnil, 0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--Hx-authordomain:debian.org, 0.000-+--Hx-senderdomain:debian.org Return-path: <carnil@debian.org> Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:54034 helo=eldamar.lan) by buxtehude.debian.org with esmtp (Exim 4.96) (envelope-from <carnil@debian.org>) id 1uqzBj-003IWv-1B for submit@bugs.debian.org; Tue, 26 Aug 2025 19:18:35 +0000 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Salvatore Bonaccorso <carnil@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: biosig: CVE-2025-54494 CVE-2025-54493 CVE-2025-54492 CVE-2025-54491 CVE-2025-54490 CVE-2025-54489 CVE-2025-54488 CVE-2025-54487 CVE-2025-54486 CVE-2025-54485 CVE-2025-54484 CVE-2025-54483 CVE-2025-54482 CVE-2025-54481 CVE-2025-54480 CVE-2025-54462 CVE-2025-53853 CVE-2025-53557 CVE-2025-53518 CVE-2025-53511 CVE-2025-52581 CVE-2025-52461 CVE-2025-48005 CVE-2025-46411 Message-ID: <175623591181.4175989.9686260571553800221.reportbug@eldamar.lan> X-Mailer: reportbug 13.2.0 Date: Tue, 26 Aug 2025 21:18:31 +0200 Delivered-To: submit@bugs.debian.org Source: biosig Version: 3.9.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org> Hi, The following vulnerabilities were published for biosig. CVE-2025-54494[0]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 9205 of biosig.c on the current master branch (35a819fa), when the | Tag is 133: else if (tag==133) //0x85 | { curPos += ifread(buf,1,len,hdr); CVE-2025-54493[1]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 9184 of biosig.c on the current master branch (35a819fa), when the | Tag is 131: else if (tag==131) //0x83 | { // Patient Age if | (len!=7) fprintf(stderr,"Warning MFER tag131 incorrect length | %i!=7\n",len); curPos += ifread(buf,1,len,hdr); CVE-2025-54492[2]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 9141 of biosig.c on the current master branch (35a819fa), when the | Tag is 67: else if (tag==67) //0x43: Sample | skew { int skew=0; // [1] | curPos += ifread(&skew, 1, len,hdr); In this case, the address of | the newly-defined integer `skew` \[1\] is overflowed instead of | `buf`. This means a stack overflow can occur using much smaller | values of `len` in this code path. CVE-2025-54491[3]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 9191 of biosig.c on the current master branch (35a819fa), when the | Tag is 65: else if (tag==65) //0x41: patient | event { // event table | curPos += ifread(buf,1,len,hdr); CVE-2025-54490[4]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 9090 of biosig.c on the current master branch (35a819fa), when the | Tag is 64: else if (tag==64) //0x40 | { // preamble char | tmp[256]; // [1] curPos += | ifread(tmp,1,len,hdr); In this case, the overflowed buffer is the | newly-declared `tmp` \[1\] instead of `buf`. While `tmp` is larger | than `buf`, having a size of 256 bytes, a stack overflow can still | occur in cases where `len` is encoded using multiple octets and is | greater than 256. CVE-2025-54489[5]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8970 of biosig.c on the current master branch (35a819fa), when the | Tag is 63: else if (tag==63) { | uint8_t tag2=255, len2=255; count = 0; | while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){ | curPos += ifread(&tag2,1,1,hdr); curPos += | ifread(&len2,1,1,hdr); if | (VERBOSE_LEVEL==9) | fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i | curPos=%i %li | count=%4i\n",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count); | if (FlagInfiniteLength && len2==0 && tag2==0) break; | count += (2+len2); curPos += | ifread(&buf,1,len2,hdr); Here, the number of bytes read is not | the Data Length decoded from the current frame in the file (`len`) | but rather is a new length contained in a single octet read from the | same input file (`len2`). Despite this, a stack-based buffer | overflow condition can still occur, as the destination buffer is | still `buf`, which has a size of only 128 bytes, while `len2` can be | as large as 255. CVE-2025-54488[6]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8850 of biosig.c on the current master branch (35a819fa), when the | Tag is 13: else if (tag==13) { | if (len>8) fprintf(stderr,"Warning MFER tag13 incorrect length | %i>8\n",len); curPos += ifread(&buf,1,len,hdr); CVE-2025-54487[7]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8842 of biosig.c on the current master branch (35a819fa), when the | Tag is 12: else if (tag==12) //0x0C | { // sampling resolution | if (len>6) fprintf(stderr,"Warning MFER tag12 incorrect length | %i>6\n",len); val32 = 0; | int8_t v8; curPos += | ifread(&UnitCode,1,1,hdr); curPos += | ifread(&v8,1,1,hdr); curPos += | ifread(buf,1,len-2,hdr); In addition to values of `len` greater | than 130 triggering a buffer overflow, a value of `len` smaller than | 2 will also trigger a buffer overflow due to an integer underflow | when computing `len-2` in this code path. CVE-2025-54486[8]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8824 of biosig.c on the current master branch (35a819fa), when the | Tag is 11: else if (tag==11) //0x0B | { // Fs if (len>6) | fprintf(stderr,"Warning MFER tag11 incorrect length %i>6\n",len); | double fval; curPos += ifread(buf,1,len,hdr); CVE-2025-54485[9]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8785 of biosig.c on the current master branch (35a819fa), when the | Tag is 8: else if (tag==8) { | if (len>2) fprintf(stderr,"Warning MFER tag8 incorrect length | %i>2\n",len); curPos += ifread(buf,1,len,hdr); CVE-2025-54484[10]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8779 of biosig.c on the current master branch (35a819fa), when the | Tag is 6: else if (tag==6) | // 0x06 "number of sequences" { | // NRec if (len>4) | fprintf(stderr,"Warning MFER tag6 incorrect length %i>4\n",len); | curPos += ifread(buf,1,len,hdr); CVE-2025-54483[11]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8759 of biosig.c on the current master branch (35a819fa), when the | Tag is 5: else if (tag==5) | //0x05: number of channels { | uint16_t oldNS=hdr->NS; if | (len>4) fprintf(stderr,"Warning MFER tag5 incorrect length | %i>4\n",len); curPos += | ifread(buf,1,len,hdr); CVE-2025-54482[12]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8751 of biosig.c on the current master branch (35a819fa), when the | Tag is 4: else if (tag==4) { | // SPR if (len>4) | fprintf(stderr,"Warning MFER tag4 incorrect length %i>4\n",len); | curPos += ifread(buf,1,len,hdr); CVE-2025-54481[13]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8744 of biosig.c on the current master branch (35a819fa), when the | Tag is 3: else if (tag==3) { | // character code char | v[17]; // [1] if | (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length | %i>16\n",len); curPos += | ifread(&v,1,len,hdr); v[len] | = 0; In this case, the overflowed buffer is the newly-declared | `v` \[1\] instead of `buf`. Since `v` is only 17 bytes large, much | smaller values of `len` (even those encoded using a single octet) | can trigger an overflow in this code path. CVE-2025-54480[14]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability.This vulnerability manifests on line | 8719 of biosig.c on the current master branch (35a819fa), when the | Tag is 0: if (tag==0) { | if (len!=1) fprintf(stderr,"Warning MFER tag0 incorrect length | %i!=1\n",len); curPos += | ifread(buf,1,len,hdr); } CVE-2025-54462[15]: | A heap-based buffer overflow vulnerability exists in the Nex parsing | functionality of The Biosig Project libbiosig 3.9.0 and Master | Branch (35a819fa). A specially crafted .nex file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. CVE-2025-53853[16]: | A heap-based buffer overflow vulnerability exists in the ISHNE | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted ISHNE ECG annotations | file can lead to arbitrary code execution. An attacker can provide a | malicious file to trigger this vulnerability. CVE-2025-53557[17]: | A heap-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. CVE-2025-53518[18]: | An integer overflow vulnerability exists in the ABF parsing | functionality of The Biosig Project libbiosig 3.9.0 and Master | Branch (35a819fa). A specially crafted ABF file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. CVE-2025-53511[19]: | A heap-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. CVE-2025-52581[20]: | An integer overflow vulnerability exists in the GDF parsing | functionality of The Biosig Project libbiosig 3.9.0 and Master | Branch (35a819fa). A specially crafted GDF file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. CVE-2025-52461[21]: | An out-of-bounds read vulnerability exists in the Nex parsing | functionality of The Biosig Project libbiosig 3.9.0 and Master | Branch (35a819fa). A specially crafted .nex file can lead to an | information leak. An attacker can provide a malicious file to | trigger this vulnerability. CVE-2025-48005[22]: | A heap-based buffer overflow vulnerability exists in the RHS2000 | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted RHS2000 file can lead | to arbitrary code execution. An attacker can provide a malicious | file to trigger this vulnerability. CVE-2025-46411[23]: | A stack-based buffer overflow vulnerability exists in the MFER | parsing functionality of The Biosig Project libbiosig 3.9.0 and | Master Branch (35a819fa). A specially crafted MFER file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-54494 https://www.cve.org/CVERecord?id=CVE-2025-54494 [1] https://security-tracker.debian.org/tracker/CVE-2025-54493 https://www.cve.org/CVERecord?id=CVE-2025-54493 [2] https://security-tracker.debian.org/tracker/CVE-2025-54492 https://www.cve.org/CVERecord?id=CVE-2025-54492 [3] https://security-tracker.debian.org/tracker/CVE-2025-54491 https://www.cve.org/CVERecord?id=CVE-2025-54491 [4] https://security-tracker.debian.org/tracker/CVE-2025-54490 https://www.cve.org/CVERecord?id=CVE-2025-54490 [5] https://security-tracker.debian.org/tracker/CVE-2025-54489 https://www.cve.org/CVERecord?id=CVE-2025-54489 [6] https://security-tracker.debian.org/tracker/CVE-2025-54488 https://www.cve.org/CVERecord?id=CVE-2025-54488 [7] https://security-tracker.debian.org/tracker/CVE-2025-54487 https://www.cve.org/CVERecord?id=CVE-2025-54487 [8] https://security-tracker.debian.org/tracker/CVE-2025-54486 https://www.cve.org/CVERecord?id=CVE-2025-54486 [9] https://security-tracker.debian.org/tracker/CVE-2025-54485 https://www.cve.org/CVERecord?id=CVE-2025-54485 [10] https://security-tracker.debian.org/tracker/CVE-2025-54484 https://www.cve.org/CVERecord?id=CVE-2025-54484 [11] https://security-tracker.debian.org/tracker/CVE-2025-54483 https://www.cve.org/CVERecord?id=CVE-2025-54483 [12] https://security-tracker.debian.org/tracker/CVE-2025-54482 https://www.cve.org/CVERecord?id=CVE-2025-54482 [13] https://security-tracker.debian.org/tracker/CVE-2025-54481 https://www.cve.org/CVERecord?id=CVE-2025-54481 [14] https://security-tracker.debian.org/tracker/CVE-2025-54480 https://www.cve.org/CVERecord?id=CVE-2025-54480 [15] https://security-tracker.debian.org/tracker/CVE-2025-54462 https://www.cve.org/CVERecord?id=CVE-2025-54462 [16] https://security-tracker.debian.org/tracker/CVE-2025-53853 https://www.cve.org/CVERecord?id=CVE-2025-53853 [17] https://security-tracker.debian.org/tracker/CVE-2025-53557 https://www.cve.org/CVERecord?id=CVE-2025-53557 [18] https://security-tracker.debian.org/tracker/CVE-2025-53518 https://www.cve.org/CVERecord?id=CVE-2025-53518 [19] https://security-tracker.debian.org/tracker/CVE-2025-53511 https://www.cve.org/CVERecord?id=CVE-2025-53511 [20] https://security-tracker.debian.org/tracker/CVE-2025-52581 https://www.cve.org/CVERecord?id=CVE-2025-52581 [21] https://security-tracker.debian.org/tracker/CVE-2025-52461 https://www.cve.org/CVERecord?id=CVE-2025-52461 [22] https://security-tracker.debian.org/tracker/CVE-2025-48005 https://www.cve.org/CVERecord?id=CVE-2025-48005 [23] https://security-tracker.debian.org/tracker/CVE-2025-46411 https://www.cve.org/CVERecord?id=CVE-2025-46411 [24] https://sourceforge.net/p/biosig/mailman/message/59224259/ Regards, Salvatore ]